ChrootDirectory on a per key basis

Teemu Ikonen tpikonen at gmail.com
Fri Oct 24 01:08:44 EST 2008


Hello,

I'm trying to set up an sftp (sshfs) service accessible to users with
a normal account on a server, but which would be restricted to a
subset of the directory hierarchy normally accessible to the users in
question, in practice a single directory. The idea would be to allow
file access to this directory with a passwordless public key, but keep
the rest of the users' files accessible only with another, supposedly more
secure key.

I found a way to do this by running a separate sshd on a different
port with 'ChrootDirectory /some-dir' and 'ForceCommand internal-sftp'
configuration variables, but running two sshds is rather inelegant. Is
there a way to force this kind of configuration to only some keys? If
not, could the Match keyword be extended to match only certain keys,
or even better, could a 'chrootdir' option be added to the Authorized
keys format?

Teemu
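
The two-daemon workaround described in the message, written out as a configuration file for the second sshd instance. This is an added example, not part of the original post: the file name, port, PidFile path and authorized-keys file name are assumptions, and only 'ChrootDirectory /some-dir' and 'ForceCommand internal-sftp' come from the message.

```conf
# /etc/ssh/sshd_config_sftp   (hypothetical file name)
# Second instance, started alongside the main one with:
#   sshd -f /etc/ssh/sshd_config_sftp

# Assumed port and pid file, chosen so they do not clash with the main sshd.
Port 2222
PidFile /var/run/sshd_sftp.pid

# Accept public keys only, and read them from a separate per-user file.
# The passwordless key goes into this file and nowhere else; the main sshd
# keeps using the default authorized_keys file, which holds only the more
# secure key. That split is what ties the restriction to a key.
# The path is relative to the user's home directory (assumed file name).
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthorizedKeysFile .ssh/authorized_keys_sftp

# Settings named in the message: every session on this instance is
# confined to /some-dir and can only speak SFTP.
ChrootDirectory /some-dir
ForceCommand internal-sftp
Subsystem sftp internal-sftp

# No shell is available, so also turn off the forwarding channels.
AllowTcpForwarding no
X11Forwarding no
```

The file can be checked with `sshd -t -f /etc/ssh/sshd_config_sftp` before starting the daemon. sshd refuses the chroot unless /some-dir and every path component above it are owned by root and not writable by any other user or group, so files the users may write belong in a subdirectory of it.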


More information about the openssh-unix-dev mailing list